Microsoft to patch IE zero-day bug next week
Microsoft today said it will deliver six security updates on Tuesday, including one that will patch a vulnerability in Internet Explorer (IE) the company admitted only last week.
The updates will patch a total of 12 flaws in Windows, IE and Microsoft Office, the company said in a follow-up entry to its security response center's blog .
At the top of the patch list, even Microsoft's own, will be an update for IE 5.01, IE6, IE7 and IE8 that has been pegged as "critical," the firm's highest severity rating in its four-step scoring system.
The update will address an IE zero-day vulnerability that Microsoft confirmed Nov. 23 in a security advisory. "I want to point out that Internet Explorer 8 is not affected on any platform and that running Protected Mode in Internet Explorer 7 on Windows Vista mitigates this issue," said Jerry Bryant, a spokesman for the Microsoft Security Response Center (MSRC), in a blog post announcing the advisory last week.
Microsoft's advisory was its reaction to proof-of-concept attack code that had gone public several days before, when it was posted to the popular Bugtraq security mailing list. The sample code exploited a flaw in IE's layout parser, and could be used to hijack fully-patched Windows machines.
Next Tuesday's update, however, will quash bugs in all still-supported versions of IE, not just IE6 and IE7, a fact Microsoft confirmed today . "We want to make customers aware that we will be addressing the vulnerability discussed in Security Advisory 977981 in the IE bulletin on Tuesday," Bryant said in another blog post.
The advisory Bryant called out was the one Microsoft issued last week. "We know that customers are concerned about this issue and we are also aware that Proof of Concept (PoC) code is available publicly."
Microsoft's advance notification spelled out the significance of the problem with IE: All versions of its browser contain one or more flaws when run on Windows 2000, Windows XP, Vista, Server 2003 and even Windows 7. Only the company's newest server products -- Server 2008 and Server 2008 R2 -- are somewhat safer.
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
On Twitter now
Security
Powered by TwitterOn Twitter now
Security
Brian Proffitt
SourceForge Balances Between Community, Lawmakers
Tom Henderson
Top Ten General Operating Systems Rants
pasmith
Gaming: New DRM to combat piracy, drive away customers
Christopher Dawson
Google privacy woes: Can they be our cloud provider of choice?
Esther Schindler
Drupal's Dries Buytaert on Building the Next Drupal
sjvn
Who's really to blame for the Windows XP Patch BSOD?
claird
Web developers: There's no excuse for device incompatibility
19 Weird but Real Gadgets and Gizmos
Take a walk on tech's wild side with some of the strangest, most original, and most bizarre gadgets you've ever seen. We've got vacuums for your lawn, swimwear that can charge your iPod, and grenades that don't explode but still go boom. View slideshow.
See also:
